Rocket.Chat: API Keys Hardcoded in Github repository

ID H1:766346
Type hackerone
Reporter codermak
Modified 2020-04-01T13:49:25



Summary: An API key is hardcoded in one of Rocket.Chat's GitHub repositories.

Description: A Fabric API key and a google-services.json file are publicly available in the Rocket.Chat Android repository.

Releases Affected:

  • Latest Github Code

Steps To Reproduce (from initial installation to vulnerability):


Fabric API Key

  1. Go to this URL
  2. Scroll down to the bottom
  3. You will see the Fabric API key hardcoded there

google-services.json

  1. Go to
  2. You can see the complete google-services.json config file

Supporting Material/References:

  • Screenshot in attachment

Suggested Mitigation:

  • Keys should not be pushed to the public repository
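The mitigation above is a process rule; the script below is an added example (not Rocket.Chat's code and not part of the reporter's submission) of enforcing it mechanically before a push. It scans a checkout for the two artefacts this report is about: a Fabric API key, which the Fabric SDK documents as an `io.fabric.ApiKey` meta-data element in AndroidManifest.xml or an `apiKey`/`apiSecret` line in fabric.properties, and any committed google-services.json, for which it reports the project_id and the api_key entries. Assumptions: a real Fabric key is 40 hex characters, the manifest regex expects android:name before android:value, and the sample tree and all key values are constructed.

```python
"""Pre-push secrets check for an Android repo: flags Fabric API keys and
committed google-services.json files. Added example, not Rocket.Chat's code."""
import json
import os
import re
from typing import Dict, List

# Fabric's documented placement: a <meta-data> element inside <application>.
# Assumption: android:name appears before android:value in the element.
FABRIC_META_RE = re.compile(
    r'<meta-data\s+[^>]*android:name\s*=\s*"io\.fabric\.ApiKey"[^>]*'
    r'android:value\s*=\s*"([^"]*)"', re.IGNORECASE | re.DOTALL)
# fabric.properties carries apiKey=... and apiSecret=... lines.
FABRIC_PROPS_RE = re.compile(r'^\s*(apiKey|apiSecret)\s*=\s*(\S+)', re.MULTILINE)
# Assumption: a real Fabric key is 40 hex characters; placeholders are not.
HEX40_RE = re.compile(r'^[0-9a-fA-F]{40}$')
PLACEHOLDER_RE = re.compile(r'(your|placeholder|xxx|changeme|\$\{)', re.IGNORECASE)
WANTED = {"AndroidManifest.xml", "fabric.properties", "google-services.json"}


def redact(value: str) -> str:
    """Show just enough of a secret to identify it in a finding."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def looks_like_real_key(value: str) -> bool:
    """True for a 40-hex Fabric key that is not an obvious placeholder."""
    return bool(HEX40_RE.match(value)) and not PLACEHOLDER_RE.search(value)


def scan_files(files: Dict[str, str]) -> List[dict]:
    """files maps repo-relative path -> text. Returns one dict per finding."""
    findings: List[dict] = []
    for path, text in files.items():
        base = os.path.basename(path)
        if base == "AndroidManifest.xml":
            for m in FABRIC_META_RE.finditer(text):
                if looks_like_real_key(m.group(1)):
                    findings.append({"path": path, "kind": "fabric_api_key_manifest",
                                     "value": redact(m.group(1))})
        elif base == "fabric.properties":
            for m in FABRIC_PROPS_RE.finditer(text):
                if PLACEHOLDER_RE.search(m.group(2)):
                    continue  # ${VAR} or similar: injected at build time, fine
                findings.append({"path": path, "kind": "fabric_" + m.group(1),
                                 "value": redact(m.group(2))})
        elif base == "google-services.json":
            try:
                cfg = json.loads(text)
            except json.JSONDecodeError:
                findings.append({"path": path, "kind": "google_services_json_unparseable",
                                 "value": ""})
                continue
            project = cfg.get("project_info", {}).get("project_id", "")
            keys = [k.get("current_key", "") for c in cfg.get("client", [])
                    for k in c.get("api_key", [])]
            findings.append({"path": path, "kind": "google_services_json",
                             "value": project, "api_keys": [redact(k) for k in keys if k]})
    return findings


def scan_repo(root: str) -> List[dict]:
    """Walk a checkout (skipping .git) and scan only the files that matter."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name in WANTED:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


# Constructed sample tree (not Rocket.Chat's files); every key is made up.
SAMPLE_TREE = {
    "app/src/main/AndroidManifest.xml": (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android">\n'
        '  <application>\n'
        '    <meta-data android:name="io.fabric.ApiKey"\n'
        '               android:value="0123456789abcdef0123456789abcdef01234567" />\n'
        '  </application>\n</manifest>\n'),
    "app/fabric.properties": (
        "apiSecret=${FABRIC_SECRET}\n"                         # placeholder, skipped
        "apiKey=fedcba9876543210fedcba9876543210fedcba98\n"),  # committed, flagged
    "app/google-services.json": json.dumps({
        "project_info": {"project_id": "example-project"},
        "client": [{"api_key": [{"current_key": "AIzaSyExampleExampleExampleExample"}]}],
    }),
}

if __name__ == "__main__":
    import sys
    hits = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_TREE)
    for hit in hits:
        print(hit)
    sys.exit(1 if hits else 0)  # non-zero blocks the push when wired into a hook
```

Run it as `python check_secrets.py /path/to/checkout` from a pre-push hook or CI job; with no argument it scans the constructed sample tree and exits non-zero because all three artefacts are present. Build-time placeholders such as `${FABRIC_SECRET}` are deliberately not flagged, which is the pattern to move the real values to.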

Impact:

  1. Using the Fabric key, an attacker could corrupt the entire analytics of the Rocket.Chat Android app
  2. google-services.json can be used to access the Google services of Rocket.Chat's Google account